Get Your MiCA License. Fast.

EU compliance made easy for crypto startups

We help small crypto companies and CASPs get licensed under MiCA in Spain and Bulgaria, guiding you from idea to complete documentation, without technical headaches.

WHO NEEDS A MICA LICENSE?

MiCA is coming. Are you ready?

If you offer crypto services in the EU, MiCA compliance is not optional — it’s a must.

We support startups that want to:

MiCA introduces strict standards, but we’ve simplified the process so you don’t have to navigate it alone.

WHY VIRTUOPAY?

Expert help. Zero guesswork.

Virtuopay isn’t just another legal advisor — we’re your hands-on guide to getting licensed, especially if you’re not deep into crypto regulation.

Our team has helped early-stage teams get licensed on time, without missing critical regulatory pieces.

HOW IT WORKS

Your MiCA license in 3 steps:

Want to know if you qualify?

It only takes 2 minutes to get started, and you’ll immediately know if your company is eligible and what to do next.

FAQ

on the MiCA Licensing procedure in Bulgaria, as per the newly adopted Crypto-Assets Markets Act

In Bulgaria, the Financial Supervision Commission (FSC) is the designated national authority responsible for licensing and oversight of CASPs. The Bulgarian National Bank (BNB) oversees entities dealing with electronic money tokens.

| Crypto-asset service providers | Type of crypto-asset services | Minimum capital requirements under Article 67(1), point (a) MiCA |
|---|---|---|
| Class 1 | Crypto-asset service provider authorised for the following crypto-asset services: execution of orders on behalf of clients; placing of crypto-assets; providing transfer services for crypto-assets on behalf of clients; reception and transmission of orders for crypto-assets on behalf of clients; providing advice on crypto-assets; and/or providing portfolio management on crypto-assets. | EUR 50 000 |
| Class 2 | Crypto-asset service provider authorised for any crypto-asset services under class 1 and: providing custody and administration of crypto-assets on behalf of clients; exchange of crypto-assets for funds; and/or exchange of crypto-assets for other crypto-assets. | EUR 125 000 |
| Class 3 | Crypto-asset service provider authorised for any crypto-asset services under class 2 and: operation of a trading platform for crypto-assets. | EUR 150 000 |

Yes. In addition to capital requirements, MiCA requires that CASPs maintain a safeguard based on their fixed overheads from the previous year. Specifically, providers must hold financial resources equal to at least one-quarter of their fixed overheads, which are to be reviewed annually.

For CASPs that have been operating for less than one year, the fixed overheads are calculated based on their projected expenses for the first 12 months, as submitted during their application for authorization.

To ensure that the fixed overheads reflect only the essential operational costs, MiCA outlines certain deductions from the total expenses that CASPs must apply when calculating their fixed overheads. MiCA itself does not define “fixed overheads,” but ESMA adopts a methodology for calculating them.

Fixed overheads = Total expenses minus Variable costs

Fixed overheads include:

  • Salaries and rent
  • IT infrastructure and operational expenses
  • Insurance premiums
  • Utilities and equipment leasing
  • Depreciation and amortisation
  • Non-performance-linked management costs

Excluded from fixed overheads:

  • Fees or commissions paid directly to clients or agents
  • Bonuses linked to revenue or trading activity
  • Discretionary remuneration: Fully discretionary appropriations of profits or other variable remuneration are also deducted.
  • Non-recurring expenses: Expenses that are not part of ordinary activities are excluded from the calculation.

Yes. Smaller CASPs may leverage insurance coverage as a practical strategy to meet MiCA’s fixed overheads requirements. By securing appropriate insurance policies, these firms can manage and mitigate overhead obligations without depending entirely on their own capital reserves. This method supports regulatory compliance while preserving financial stability. 

For CASPs with constrained liquidity, insurance offers a viable alternative that helps fulfill MiCA’s obligations and promotes long-term growth and efficient operations.

Currently, almost no insurance companies offer such solutions, but Virtuopay has established a partnership with one such insurance brokerage.

Companies registered with the National Revenue Agency as virtual currency service providers under the Anti-Money Laundering Act, as of 30 December 2024, are permitted to continue their operations until 1 July 2026 without the need for a full MiCA license. This grace period gives them the opportunity to align with the upcoming regulatory framework by establishing internal policies, meeting capital thresholds, and setting up compliance structures. After 1 July 2026, all crypto businesses aiming to operate legally in Bulgaria – or use the EU passporting regime – must obtain a MiCA license.

Companies registered between 30 December 2024 and 8 July 2025 (the date of entry into force of the new law) must submit an application for a license within 3 months. The period starts from 8 July 2025.

No. The Bulgarian Act fully transposes MiCA’s requirements without significant variation. Licensing timelines, capital, governance, AML/KYC, cybersecurity, safeguarding, and suitability are aligned with EU Regulation (EU) 2023/1114.

No. Unlike some drafts, Bulgaria’s passed law eliminates “tacit refusal”: a lack of response does not equate to denial. The FSC must follow MiCA’s defined approval timelines and cannot impose de facto rejections by silence.

The state fees collected by the competent authority are listed below.

| Type of services | State fee for application |
|---|---|
| For Class 1 | 5 000 BGN (approx. 2 556 EUR) |
| For Class 2 | 10 000 BGN (approx. 5 112 EUR) |
| For Class 3 | 30 000 BGN (approx. 15 338 EUR) |
| **For upgrade in classes** | |
| From Class 1 to Class 2 | 8 000 BGN (approx. 4 090 EUR) |
| From Class 2 to Class 3 | 25 000 BGN (approx. 12 782 EUR) |

The FSC shall, within 25 working days of receipt of an application, assess whether that application is complete by checking that the information listed in Article 62(2) has been submitted. The FSC shall, within 40 working days from the date of receipt of a complete application, assess whether the applicant crypto-asset service provider complies with MiCA and shall adopt a fully reasoned decision granting or refusing an authorisation as a crypto-asset service provider. The FSC shall notify the applicant of its decision within five working days of the date of that decision. That assessment shall take into account the nature, scale and complexity of the crypto-asset services that the applicant crypto-asset service provider intends to provide.

To be licensed as a Crypto-Asset Service Provider (CASP) under the Markets in Crypto-Assets Regulation (MiCA), a company must submit a full application to the competent authority of the EU Member State where it is incorporated. This submission must clearly show that the applicant complies with all relevant requirements related to structure, operations, prudential safeguards, and governance as outlined in Articles 59 through 63, as well as Annex I of the Regulation.

A central component of the application is the programme of operations, which must provide a clear and structured explanation of the crypto-asset services to be offered. It should define the types of crypto-assets involved, the target client segments, the geographical reach of the services, and any outsourcing arrangements foreseen. Accompanying this, the business plan must explain the firm’s business model in detail and include financial projections for the upcoming three years, covering expected profit and loss accounts, balance sheets, capital adequacy estimates, income sources, and planned funding.

Applicants must also outline their internal structure, including the legal status and ownership framework of the entity. This must be supported by an organisational chart indicating departments, reporting chains, and staffing levels. Disclosure is also required for all shareholders or beneficial owners holding a significant interest, whether directly or through intermediaries.

Governance standards form a key part of the authorisation process. The applicant must present a complete list of management and board members, along with their professional resumes and documentation verifying a clean criminal record, thereby confirming their fitness and propriety. In addition, the application should include internal policies and operational procedures addressing risk controls, audit, complaints handling, internal governance, and business continuity.

An explanation of the applicant’s IT and cybersecurity framework must be included, describing how the systems will ensure data security and operational integrity. The firm must also provide a clear account of how it intends to safeguard client assets, demonstrating the separation of client funds or crypto-assets from the firm’s own holdings, and detailing the custody arrangements in place.

Under MiCA and ESMA guidance, Fit & Proper assessments primarily apply to: 

  • Members of the management body (executive and non-executive directors)
  • Persons effectively directing the CASP (e.g., CEO, COO, Compliance Officer)
  • Key function holders, especially in:
      • Compliance
      • Risk management
      • AML/CFT
      • Internal audit (if applicable)

While MiCA does not explicitly require assessments for all employees, ESMA recommends that firms ensure competence and integrity of all relevant staff, particularly those involved in providing crypto-asset services.

  • Good reputation
      • Clean criminal and regulatory record;
      • No past involvement in financial misconduct, fraud, money laundering, or tax evasion;
      • No disqualification from professional roles.
  • Knowledge, skills, and experience
      • Demonstrated expertise in crypto-assets, financial markets, or regulated services;
      • For Compliance/AML/Risk roles: proven relevant technical and operational knowledge;
      • Qualifications, training, and previous positions held in regulated environments.
  • Necessary time commitment
      • Sufficient time to perform the role effectively;
      • Avoidance of excessive external mandates or conflicts of interest.

The burden of proof lies with the applicant – CASPs must submit full documentation for each relevant person as part of the MiCA application package.



The following act is applicable: Regulation (EU) 2022/2554 on the operational resilience of digital technologies in the financial sector (“DORA”, or “the Regulation”) aims to strengthen the resilience of digital technologies in the financial sector by imposing harmonised requirements for risk management, reporting, testing and management of relationships with third parties. DORA entered into force on 16 January 2023 and applies from 17 January 2025.

The application shall include the technical documentation of the ICT systems and security arrangements, and a description thereof in non-technical language.

Crypto-asset service providers shall employ appropriate and proportionate resources and procedures, including resilient and secure ICT systems as required by Regulation (EU) 2022/2554.

CASPs must establish and maintain:

  • Access control policies, including multi-factor authentication;
  • Monitoring systems and audit logs;
  • Incident detection and response plans.

Although MiCA does not directly regulate AML/CFT, CASPs are obliged entities under Directive (EU) 2015/849 (AMLD5/6) and the Bulgarian AML Act and must implement: 

  • Risk-based customer due diligence (CDD);
  • Enhanced due diligence (EDD) for high-risk clients;
  • Appointment of a compliance officer with AML responsibility;
  • Ongoing monitoring and suspicious transaction reporting.

Common grounds include: 

  • Weak governance or control environments;
  • Insufficient capital or lack of ongoing own funds;
  • Poor safeguarding, ICT security, or continuity planning;
  • Inadequate AML/KYC systems;
  • Key personnel failing Fit & Proper assessments.

Once a CASP is authorised under MiCA in one EU Member State, it may offer its services across the EU without requiring additional licenses in each Member State. The provision of services in accordance with the reverse solicitation principle is only possible within a very narrow framework, which is emphasized by the recent publication of the relevant guidelines by the European Securities and Markets Authority (ESMA).

Penalties are stipulated both in the MiCA Regulation and its transposition into Bulgarian law through the local act. For initial violations, administrative fines may amount to the greater of BGN 5 million or 6.25% of the offender’s total worldwide annual turnover. In the event of a repeated breach, the penalty can rise to the greater of BGN 10 million or 12.5% of global annual turnover.

FSC also has the right to: 

  • order an immediate suspension of a crypto-asset service for up to 30 working days or impose a permanent ban;
  • halt or prohibit a public offer or the trading of certain crypto-assets on a platform;
  • compel issuers or CASPs to amend or withdraw white-papers and marketing materials that are incomplete or misleading;
  • dismiss individual board members or senior managers responsible for violations; 
  • publish every enforcement measure and penalty on its website.